for cloud security Protecng your mission-crical data and applicaons in the cloud can best be accomplished through a joint effort between your organizaon and your cloud services provider (CSP). These 13 tips can help. 1 3 TIPS
Jan 15, 2015
for cloud security
Protecting your mission-critical data and applications in the cloud can best be accomplished through a joint effort between your organization and your cloud services provider (CSP).
These 13 tips can help.
13 tips
Know
Classify the data you will be storing and/or
processing in the cloud. How sensitive is it?
Does it have value as intellectual property?
Is it subject to privacy restrictions such as
those specified by HIPAA or Safe Harbor or
to standards such as PCI DSS? Then, define
the security controls that are appropriate to
protect that information. Make sure that the
CSP has the appropriate logical and physical
controls ─ and that they are effective.
Know Your Data1
1“Classify the data you will be storing and/or processing in the cloud.”
Create a transparent process that controls who
can see the information you are storing and/
or processing in the cloud, and then create a
“self-destruct” policy for sensitive information
that does not need to live indefinitely outside
of the confines of your organization.
Monitor
Monitor Data Usage2
“Create a transparentprocess that controls who can see information you are storing...”
2
SetConsider two-factor or multi-factor authentication
for all information that needs to be restricted. In
addition, consider a tier structure for your access
policies based on the level of trust you have for
each person who has access to your data. Using
the correct permissions and the rule of the "least
privilege" are among the best protections against
accidental or malicious detection. This applies to
your CSP too, as well as any companies that you
may work with that could potentially have access
to your data.
“Consider two-factor or multi-factor authentication for all information that needs to be restricted.”
Set TrustLevels3
3
Strengthen your risk-based authentication
techniques and issue security tokens to
employees. You’ll also want to make sure
your CSP employs identity access and
authentication tools that are equal or better
then what you have in place. For added
security, supplement authentication practices
with safeguards such as device or IP tracking
and behavioral profiling.
“Strengthen your risk-based authentication techniques and issue security tokens to employees.”
4
Beef up
Beef up AuthenticationTechniques4
LogPut comprehensive logging and reporting in
place. Logging is critical for incident response
and forensics – and the reports and findings
after the incident are going to depend heavily
on your logging infrastructure. Also, coordinate
with your CSP and make sure performance
metrics for reporting and auditing are included
in your service agreement.
“Also, coordinate with your CSP and make sure performance metrics for reporting and auditing are included in your service agreement.”
5
Log andReport5
Use
Make sure that your “golden image” virtual
machines and VM templates are hardened
and clean. This can be done with initial system
hardening when you create the images. Take
advantage of technologies that enable you
to update the images offline with the latest
service and security updates.
“Take advantage of technologies that enable you to update the images offline with the latest service and security updates.”
Use Infrastructure Hardening6
6
Employ
Protect sensitive data wherever it might
be ─ in motion, at rest or in use. Use whole
disk encryption, which ensures that all
data on the disk ─ not just user data files ─
are encrypted. This can also help prevent
offline attacks. All communications to host
operating systems and virtual machines
should also be encrypted.
“All communications to host operating systems and virtual machines should also be encrypted.”
Employ End-to-end Encryption7
7
Hold
Maintain an optimal security posture by
holding the encryption keys. Make sure to
retain ownership of your data by retaining
ownership of the encryption keys ─ and not
giving them to your CSP.
“Make sure to retain ownership of your data by retaining ownership of the encryption keys — and not giving them to your CSP.”
Hold Your Encryption Keys8
8
Develop
How you respond to threats and adverse
events – and how rapid that response is – is an
important component of security. Document
responses to events and implement programs
to facilitate those responses. Ask your CSP
to provide you with documentation of its
response plan as well.
“Document responses to events and implement programs to facilitate those responses.”
Develop a Plan and Educate Your Response Team9
9
Make
Perform data integrity checks, such as
Message Integrity Codes (parity, CRC),
Message Authentication Codes (MD5/
SHA) or Hashed Message Authentication
Codes (HMACs) to detect data integrity
compromise. If you detect data compromise,
restore the data from backup or from a
previous object version.
“If you detect data compromise, restore the data from backup or from a previous object version.”
Make Frequent Checks10
10
LeveraConsider employing managed security
solutions as an extra layer of protection.
Security, delivered as a service, allows you
to take advantage of leading-edge security
technologies and specialized security expertise
with no upfront capital investment.
“Consider employing managed security solutions as an extra layer of protection.”
Leverage Security-as-a-Service Solutions11
11
IsolateMake sure your CSP ensures isolation of
access so that software, data and services
can be safely partitioned within the cloud
and that tenants sharing physical facilities
cannot tap into their neighbors’ proprietary
information and applications.
“..tenants sharing physical facilities cannot tap into their neighbors’ proprietary information and applications.”
Isolate CSPAccess12
12
InsistWhether you are working with a CSP for the
first time or have had a long-term business
relationship, require maximum transparency
into your CSP’s operations. CSPs should
be able to provide log files, reports and
applications that allow IT administrators to
view data traversing their virtual networks
and events within the cloud in near real time.
“...require maximum transparency into your CSP’s operations.”
Insist Upon CSPTransparency13
11
To learn more about cloud security, including managed security services, contact Peak 10 at 866-473-2510 or email: [email protected].